REVIEW OF DOT PRIVACY POLICIES AND PROCEDURES

Department of Transportation

Report Number: FI-2008-077
Date Issued: September 9, 2008


U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject:            ACTION: Review of DOT Privacy Policies and Procedures
                    Report Number FI-2008-077
Date:               September 9, 2008
From:               Rebecca C. Leng
                    Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of:  JA-20
To:                 Daniel G. Mintz
                    Chief Information and Privacy Officer, DOT

This report summarizes the results of our audit of the Department of Transportation’s (DOT) protection of privacy information. DOT has determined that more than 100 of its 429 computer systems contain personally identifiable information (PII) about the public and DOT employees. Twelve of the 13 Operating Administrations in DOT, including the Office of Inspector General (OIG), contain at least one system with privacy information.

In the Fiscal Year 2005 Consolidated Appropriations Act for Transportation, Treasury, Independent Agencies, and General Government,[1] Congress required agencies to enhance the protection of the PII that they collect and use. The Act required agencies to create a Chief Privacy Officer position, submit a benchmark report on the privacy program to Congress and the Inspector General, and have an independent audit of the privacy program performed.

We contracted with an independent firm to perform the audit, as required by law. In addition to this contract audit, OIG has conducted other privacy-related audits[2] and is in the process of reviewing systems that contain PII concerning millions of commercial vehicle drivers and airmen.[3]

[1] Public Law 108-447.
[2] Audit of Security and Controls Over the National Driver Register, OIG Report Number FI-2008-003, October 29, 2007; DOT’s Information Security Program, OIG Report Number FI-2007-002, October 23, 2006, and OIG Report Number FI-2008-001, October 10, 2007. All of these publications can be found on our Web site at www.oig.dot.gov.
[3] Audit initiated on Information Security and Privacy Controls of FAA Medical Support System, OIG Project Number 08F3006F000, February 28, 2008; and audit initiated on Data Integrity of the Commercial Driver’s License Information System, OIG Project Number 08F3003F000, December 5, 2007.

The objectives of this audit were to determine whether (1) the necessity of using PII for processing was properly evaluated; (2) the Department had established adequate procedures governing the collection, use, and security of PII; and (3) Operating Administrations properly complied with prescribed procedures to prevent unauthorized access to, or unintended use of, PII.

The audit was completed by Clifton Gunderson, LLP, of Calverton, Maryland, under contract to the DOT OIG, and by OIG staff in accordance with generally accepted government auditing standards as prescribed by the Comptroller General of the United States and included such tests as we considered necessary to detect fraud, waste, or abuse. We performed a quality control review of the audit work performed by Clifton Gunderson to ensure that it complied with generally accepted government auditing standards. In our opinion, Clifton Gunderson’s audit work complied with applicable standards. Details of the scope and methodology can be found in Exhibit A.


FINDINGS

Clifton Gunderson concluded that DOT made significant progress in addressing its statutory responsibilities under the Act by designating a senior official—the departmental Chief Information Officer—to be the Chief Privacy Officer.[4] The Chief Information and Privacy Officer issued a privacy benchmark report to Congress and the OIG in September 2006. His office also maintains an inventory of PII systems.

[4] Day-to-day oversight of DOT PII compliance operations is delegated to the privacy officers in the Chief Information Officer’s office and in individual Operating Administrations.

Clifton Gunderson also concluded that DOT has established proper procedures and a framework for assessing the necessity of using PII and the collection, use, and security of PII. However, tests of 20 sample PII systems identified deficiencies in compliance with the prescribed procedures. (The contractor’s complete report can be found in Appendix A.) As shown in the table on pages 15 and 16, 15 of the 20 systems sampled had at least one control deficiency.

The following summarizes the contractor’s findings:

1. The DOT Privacy Office did not provide evidence to support the effectiveness of procedures used in evaluating and identifying Operating Administration systems containing PII. The departmental privacy office had evaluation documents for only the 109 systems contained in its PII inventory. The office could not provide completed evaluations to support that no PII is stored in 320 of DOT’s 429 systems. DOT has no assurance that all systems containing PII have been identified for protection.

2. Deficiencies existed in DOT’s collection, security protection controls, and notification of the public concerning PII system data. The contractor found that 9 of 20 sampled systems requiring a System of Records Notice (SORN) did not have one published. As a result, the public was not properly notified of the intended use of the information collected from it. In addition, 1 of 20 systems requiring a Privacy Impact Assessment (PIA) did not have one performed, and 2 of 5 sampled systems that share privacy information with outside agencies did not have memoranda of understanding to ensure proper security protection of PII by the recipient agencies.

3. Twelve of the 20 sampled PII systems did not encrypt their PII data for network transmission. This is in direct noncompliance with DOT PII security policy 2006-22 for protection of PII. This can lead to unauthorized review of these data during transmission and/or exploitation of these systems for malicious intent.

4. Four of the 20 sampled PII systems did not have basic DOT password security controls, such as appropriate password length and complexity, password expiration, number of invalid log-in attempts, and session time-out expiration. Lack of compliance with these DOT security control policies could enable unauthorized users to crack passwords and obtain access to PII systems and data.

5. The departmental and Operating Administration privacy officers did not receive more privacy regulation and PII security protection training than the average departmental employee. This may have directly affected the privacy officers’ ability to understand the statutory requirements necessary to identify PII systems and fully implement adequate security protection controls over the PII systems identified in this audit.

Further, the Act requires privacy officials to ensure that the use of technology does not erode protection of privacy information. However, in a matter that we view as also related to training and that was not part of the contractor’s report, DOT experienced an incident during early 2007 in which one of its privacy officers stored PII on a home computer with peer-to-peer file-sharing capabilities. As a result, an unauthorized user on the Internet was able to download this information.[5] Enhanced privacy and security training may have prevented this incident.

[5] Testimony of Daniel G. Mintz, Chief Information Officer, DOT, before the Committee on Oversight and Government Reform, House of Representatives, July 24, 2007.

In conjunction with the contractor’s review, OIG staff examined security protection of the Web sites developed for two sampled systems.[6] Web technologies are commonly used to allow authorized users to access information from the Internet. OIG staff identified significant deficiencies in these Web sites that could allow Internet hackers to gain unauthorized access to the PII stored in these two systems.[7] This occurred because these Web sites were not properly configured in accordance with departmental standards.

[6] Web technologies were used in 4 of 20 sampled systems. Due to logistical limitations, we were able to examine only two systems.
[7] For security reasons, specifics concerning the weaknesses and vulnerabilities that we identified and our audit procedures are not discussed in this report but were provided to Operating Administration privacy officers.

We also noted that the departmental privacy officer does not report directly to the Chief Information and Privacy Officer. The Chief Information and Privacy Officer delegated the responsibility of establishing privacy policies and managing the Department’s privacy program to the departmental privacy officer. However, this key position reports to the Acting Chief Information Security Officer, who in turn reports to the Chief Information and Privacy Officer and whose primary responsibility is information security, not privacy. In our opinion, this organizational structure has reduced the visibility of the privacy program and was a major contributing factor to the deficiencies identified in this audit. Having the departmental privacy officer report directly to the Chief Information and Privacy Officer could increase management awareness and provide closer scrutiny of Operating Administrations’ corrective actions.

We provided a draft report to the DOT Chief Information and Privacy Officer for comment on July 8, 2008, and on August 19 we received the response. The Chief Information and Privacy Officer concurred or concurred in part with all of our recommendations, and stated that his office is in the process of acquiring and implementing technology to ensure that no PII can be obtained from DOT systems and infrastructure by unauthorized parties. The response can be found in its entirety in Appendix B.


RECOMMENDATIONS

Based on both Clifton Gunderson and OIG findings, we recommend that the departmental Chief Information and Privacy Officer:

1. Require system owners to submit evaluation results on whether PII exists in the 320 systems that were not included in the DOT Privacy Office inventory.

2. Require system owners of sampled systems to correct privacy protection deficiencies identified in the areas of missing SORNs, PIAs, and memoranda of understanding with outside agencies when sharing PII; and notify system owners of remaining PII systems to check whether they need to take similar corrective actions.

3. Require Operating Administration privacy officers to implement a process under which future systems are subject to periodic review to ensure that SORNs are initiated and posted, PIAs are developed, and memoranda of understanding with outside agencies are documented; and that such elements are appropriately updated when systems undergo change.

4. Encrypt all PII data transmitted over the Department’s communications network.

5. Require system owners of sampled systems to correct security deficiencies concerning password security controls, invalid log-in attempts, and session time-out expiration; and notify system owners of remaining PII systems to check whether they need to take similar corrective actions.

6. Require Operating Administration privacy officers to implement a process under which periodic performance checks are carried out to ensure that all PII systems remain in full compliance with DOT security policies.

7. Provide enhanced privacy security training for Operating Administration privacy officers, who are responsible for implementing annual privacy practices in their respective organizations.

8. Require system owners of sampled systems to correct security deficiencies found in their Web sites; and notify system owners of remaining PII systems to check whether they need to take similar corrective actions.

9. Increase the visibility of the DOT Privacy Program by having the departmental privacy officer report directly to the Chief Information and Privacy Officer.


AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

We provided a draft report to the DOT Chief Information and Privacy Officer for comment on July 8, 2008, and on August 19 we received the response. The Chief Information and Privacy Officer concurred or concurred in part with all of our recommendations, and stated that his office is in the process of acquiring and implementing technology to ensure that no PII can be obtained from DOT systems and infrastructure by unauthorized parties. The response can be found in its entirety in Appendix B.

In general, management actions—begun and planned—adequately address the intent of our recommendations, with the exception of recommendations 1 and 4. The responses to our recommendations are summarized as follows:

Recommendation 1: The Chief Information and Privacy Officer concurred. In the response, it was stated that the results of an August 2007 survey of all DOT systems to determine which contained PII are now available for Office of Inspector General review—including those not previously made available. However, our review of the new information provided by management still found no support that PII was not contained in the 320 systems questioned in our report. Therefore, as originally recommended, the Chief Information and Privacy Officer should require system owners to submit evaluation results to ensure that PII does not exist in these 320 systems.

While not part of our recommendation, the Privacy Office has proposed that a Privacy Threshold Analysis be performed during initial system certification and accreditation and reaccreditation to determine whether the system contains PII. The Office of the Chief Information and Privacy Officer has set a target date of March 31, 2009, for implementation. We support this planned action.

Recommendation 2: The Chief Information and Privacy Officer concurred. System owners responsible for missing or outdated Privacy Impact Assessments and Systems of Records Notices have been notified for correction, and owners of systems containing PII will be notified, by March 31, 2009, to address and update memoranda of understanding with outside agencies.

Recommendation 3: The Chief Information and Privacy Officer concurred. The recommended actions—requiring Operating Administration privacy officers to implement a process under which future systems are subject to periodic review for initiation and posting of Systems of Records Notices, development of Privacy Impact Assessments, and documentation of memoranda of understanding with outside agencies—coincide with DOT’s privacy policy and will be implemented through appropriate direction to Operating Administration CIOs and privacy officers, and in DOT/CIO policy by March 31, 2009.

Recommendation 4: The Chief Information and Privacy Officer concurred. His office is presently conducting a detailed analysis of system and encryption requirements and anticipates that this analysis will be completed by March 31, 2009. Based on the analysis, a detailed action plan will then be developed to implement encryption requirements.

While the Chief Information and Privacy Officer provided us with a plan of action and date of completion for the analysis of encryption requirements, no date was provided for the completion of actually encrypting the transmission of PII over the Department’s network. The Chief Information and Privacy Officer should provide a target date for completing this action, which has been a departmental requirement since 2006.

Recommendation 5: The Chief Information and Privacy Officer concurred. He anticipates that systems containing PII can be secured by July 31, 2009. In addition, his office will address issues identified in the report with Operating Administration CIOs, information system security officers, privacy officers, system owners, and other responsible parties.

Recommendation 6: The Chief Information and Privacy Officer concurred. His office will issue a directive by December 31, 2008, for Operating Administration privacy officers to conduct performance checks to ensure that they remain in full compliance with DOT security policies. A final policy memorandum, incorporating feedback from the directive, will be issued by March 31, 2009.

Recommendation 7: The Chief Information and Privacy Officer concurred. By written notification to modal privacy officers, he will require the owners of sampled systems to correct security deficiencies on their Web sites. He will also direct modal privacy officers, CIOs, and information system security officers to work with owners of all systems containing PII to identify any necessary corrective actions and develop corrective action plans by March 31, 2009.

Recommendation 8: The Chief Information and Privacy Officer concurred. He has recommended specialized training for Operating Administration privacy officers, and his office will establish such requirements—both for content and frequency—by March 31, 2009.

Recommendation 9: The Chief Information and Privacy Officer partially concurred. He cited a tradeoff between increasing the visibility of the DOT Privacy Program by having the departmental privacy officer report directly to the Chief Information and Privacy Officer versus keeping the current reporting relationship. While acknowledging that increased visibility for the Privacy Office would be beneficial, he cited the “synergies” and “more efficient use of staff collectively” as reasons for favoring the current structure. He further stated that perhaps some of the issues identified in our report resulted from personnel changes occurring at the time of our review and, therefore, that such a reporting shift might not accomplish much.

Therefore, the Chief Information and Privacy Officer favored leaving the current structure as is for the next fiscal year—focusing on implementing suggested changes, enhancing associated internal auditing reviews, and developing more transparent measures of operating status—then reexamining whether changing the reporting structure is needed at the end of Fiscal Year 2009. This planned action meets the intent of our recommendation. We plan to follow up on this issue through next year’s review of the Department’s information security program.


ACTIONS REQUIRED

Except for recommendations 1 and 4, the actions begun and planned by the Chief Information and Privacy Officer are responsive to our recommendations and are considered resolved subject to follow-up requirements in DOT Order 8000.1C. We would appreciate receiving the Chief Information and Privacy Officer’s updated response to include revised completion dates for recommendations 1 and 4 within 30 days.

We appreciate the courtesies and cooperation of the DOT Office of the Chief Information and Privacy Officer, DOT Operating Administration privacy officers, and Clifton Gunderson representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-1407 or Nathan Custer, Program Director, at (202) 366-5540.

#

cc: General Counsel
    DOT Chief Information Officer’s Council Members
    Martin Gertel, M-1


EXHIBIT A. SCOPE AND METHODOLOGY

This audit was conducted by Clifton Gunderson, LLP, of Calverton, Maryland, under contract to DOT OIG, and by OIG staff. The audit was conducted at selected DOT Operating Administrations in Washington, D.C. and field sites. The following summarizes the contractor’s scope and methodology:

   • The contractor reviewed DOT’s benchmark report to the OIG prepared in fulfillment of Section 522-c of the Appropriations Act and dated September 26, 2006.

   • The contractor reviewed and analyzed privacy policies, guidance, and reports, and interviewed officials from the Privacy Office.

   • The contractor analyzed the System of Records Notice and Privacy Impact Assessment development processes and assessed the progress of the office in implementing these processes.

   • The contractor selected a representative sample of 20 systems for testing of security controls, publication of System of Records Notices, and performance of Privacy Impact Assessments.

Details can be found on pages 18, 19, and 20 of Appendix A of this report.

The OIG staff examined security protection of Web sites developed for two sampled systems. We did this by examining policies and procedures, observing controls in operation, and using a commercial tool to assess the vulnerability of the Web sites.

The audit work was performed between December 2007 and May 2008. This performance audit was conducted in accordance with generally accepted government auditing standards prescribed by the Comptroller General of the United States and included such tests as we considered necessary to detect fraud, waste, and abuse.


EXHIBIT B. MAJOR CONTRIBUTORS TO THIS REPORT

Name                  Title

Nathan Custer         Program Director

Dr. Ping Sun          Program Director for IT Audit Computer Laboratory

James Mallow          Contracting Officer’s Technical Representative

Michael P. Fruitman   Communications Adviser

Vasily Gerasimov      Information Technology Specialist


APPENDIX A. REPORT ON THE 2007 REVIEW OF DOT’s COMPLIANCE WITH SECTION 522 OF THE CONSOLIDATED APPROPRIATIONS ACT OF 2005


UNITED STATES DEPARTMENT OF TRANSPORTATION (US-DOT)

Report on the 2007 Review of DOT’s Compliance with Section 522 of the Consolidated Appropriations Act, 2005.
(Policies, Procedures & Practices for Protection of Personally Identifiable Information)

Clifton Gunderson LLP
February 29, 2008

Appendix A. Report on the 2007 Review of DOT’s Compliance with Section 522 of the Consolidated Appropriations Act of 2005


Ms. Rebecca C. Leng
Assistant Inspector General for Financial and Information Technology Audits
Office of the Inspector General
U.S. Department of Transportation
1200 New Jersey Avenue SE
Washington, DC 20590

Dear Ms. Leng:

We are pleased to present our report on the Department of Transportation’s (DOT) compliance with protection of personal data in an identifiable form. This review included assessing compliance with applicable federal security and privacy laws and regulations as well as assessing the privacy and data protection procedures used by DOT as they relate to the guidelines set forth in Section 522-d of the Omnibus Spending Bill for Transportation, Treasury, Independent Agencies, and General Government Appropriations Act of 2005. The objective of our review was to determine whether: (1) the necessity of using personally identifiable information for processing was properly evaluated; (2) the Department had established adequate procedures governing the collection, use and security of personally identifiable information; and (3) Operating Administrations (OAs) properly complied with the prescribed procedures to prevent unauthorized access to and unintended use of personally identifiable information.

We interviewed key personnel involved in identifying and protecting personally identifiable information and reviewed documentation supporting DOT’s efforts to comply with federal privacy and security laws and regulations.

This performance evaluation was conducted from October 2007 to January 31, 2008, at the DOT headquarters in Washington, DC, and was conducted in accordance with Generally Accepted Government Auditing Standards.

We appreciate the opportunity to have served you once more and are grateful for the courtesy and hospitality extended to us by DOT personnel. Please do not hesitate to call me at (301) 931-2050 or email at george.fallon@cliftoncpa.com if you have questions.

Sincerely,

CLIFTON GUNDERSON LLP

Calverton, Maryland
February 29, 2008

11710 Beltsville Drive
Suite 300
Calverton, Maryland 20705
tel: 301-931-2050
fax: 301-931-1710
www.cliftoncpa.com
Offices in 17 states and Washington, DC


EXECUTIVE SUMMARY

The DOT Office of the Chief Information Officer (OCIO) Privacy Office has been proactive in carrying out its statutory responsibilities and its related role in ensuring compliance with Section 522 of the General Government Appropriations Act of 2005. Specifically, the Privacy Office has established a framework for identifying information systems containing or processing personally identifiable information (PII), securing data contained in these systems, conducting Privacy Impact Assessments (PIAs) and reporting Systems of Records Notices (SORNs), all required by the Act. The Office of the Secretary of Transportation performs cyclical checks to ensure OAs comply with these requirements and maintains a weekly scorecard of these activities.

Based on our review, DOT has (a) evaluated the necessity of using PII for data processing; (b) established procedures for the collection, use and security of PII; and (c) Operating Administrations complied with the prescribed procedures to prevent unauthorized access to and unintended use of PII. However, more work remains to be accomplished. Specifically, we noted the following:

Although the DOT OCIO and Privacy Office have established policies and procedures to protect DOT’s PII systems and data, the Privacy Office does not properly monitor its privacy processes for quality compliance with the provisions of Section 522.

• DOT did not provide evidence to support the effectiveness of the procedures used in identifying and securing information systems containing PII. The Privacy Office could not provide evidence that evaluations were performed for all four hundred twenty-nine DOT systems that may potentially contain and/or process PII.

• DOT did not provide evidence that the Privacy Office had a structured format to monitor the effectiveness and completeness of PIAs and SORNs implemented by the different OAs on affected systems. (DOT did not have a permanent Departmental Privacy Officer during our review period from October 2007 through January 2008.) Limited resources and/or personnel could account for this lack of adequate monitoring, resulting in the following:

  o A Privacy Impact Assessment (PIA) had not been performed for one (1) out of twenty (20) systems in our sample. This system contained public PII and required a PIA.

  o SORNs were not published for nine (9) out of twenty (20) sample systems tested. While the Privacy Office has reviewed, approved, and issued new SORNs since its establishment, we identified nine sampled systems that did not have SORNs published. The department is not in compliance with the Office of Management and Budget (OMB) requirements that SORNs be published and reviewed semi-annually, nor can it be assured that the privacy implications of its many systems that process and maintain PII have been fully and accurately disclosed to the public. These notices should identify, among other things, the type of data collected, the types of individuals about whom information is collected, and the intended uses of the data.

• DOT OAs had not established Memoranda of Understanding (MOU) for two (2) out of five (5) systems from our sample of twenty systems that share privacy data with external agencies. Also, the PIAs reviewed did not provide guidance on privacy information sharing with other agencies. These PIAs did not include measures to escalate requests from federal agencies (law enforcement bureaus) that may require PII for legitimate government business.

• DOT Privacy Office had not provided enhanced privacy security training to OA Privacy Officers as well as their representatives who are responsible for deploying DOT’s PII policies at their respective OAs. DOT does provide its employees with security awareness training. Per the responses on the OCIO FISMA template for September 2007, eighty-six percent of DOT employees have received security training for fiscal year 2007. Although security protection of PII data was part of these training courses, the agency’s Privacy Officers did not receive enhanced privacy security training to assist them in understanding all integral parts of their job responsibilities.

DOT technical controls related to the protection of personally identifiable information need to be strengthened.

• Twelve (12) out of twenty (20) sampled PII systems reviewed do not encrypt their PII data and transmit this data over DOT’s network in clear unencrypted text.

• Four (4) out of twenty (20) systems were non-compliant with DOT security policies concerning basic password security requirements, specifically: (1) the number of login attempts on two systems in our sample (10%) was set to expire after six unsuccessful logon attempts; (2) password parameters for one system require the password to be changed every 180 days, contrary to DOT policy of 90 days; (3) one system had not implemented secure password settings such as password complexity, number of invalid login attempts, session expiration and password expiration.

DOT consists of the Office of the Secretary and eleven individual OAs: the Federal Aviation Administration (FAA), the Federal Highway Administration (FHWA), the Federal Motor Carrier Safety Administration (FMCSA), the Federal Railroad Administration (FRA), the National Highway Traffic Safety Administration (NHTSA), the Federal Transit Administration (FTA), the Maritime Administration (MARAD), the Saint Lawrence Seaway Development Corporation, the Research and Special Programs Administration, the Bureau of Transportation Statistics, and the Surface Transportation Board.

The following table summarizes the sample of systems reviewed and exceptions noted:

Results of Tests

 #  | OA    | System Description                                 | Systems of Records Notices | Privacy Impact Assessments         | Technical Controls
----|-------|----------------------------------------------------|----------------------------|------------------------------------|-----------------------------------------------------------------
 1  | FAA   | Delphi tracking System (DTF)                       | SORN not published         | none noted                         | none noted
 2  | FAA   | Enforcement Information System (EIS)               | SORN not published         | PIA required but not yet developed | No data encryption.
 3  | FAA   | MedXPress                                          | none noted                 | none noted                         | Password settings not consistent with DOT policy. No data encryption.
 4  | FAA   | Safety Performance Analysis System (SPAS)          | SORN not published         | none noted                         | Password settings not consistent with DOT policy. No data encryption.
 5  | FAA   | Airman Registry Modernization System (RMS)         | none noted                 | none noted                         | No data encryption.
 6  | FHWA  | User Profile Access Control System (UPACS)         | none noted                 | none noted                         | none noted
 7  | FHWA  | National Highway Institute (NHI)                   | none noted                 | none noted                         | Password settings not consistent with DOT policy.
 8  | FMCSA | Electronic Document Management System (EDMS)       | SORN not published         | none noted                         | none noted
 9  | FMCSA | Medical Exemption System (MEDEX)                   | SORN not published         | none noted                         | No data encryption.
 10 | FRA   | Correspondence Control & Management System (CCM)   | SORN not published         | none noted                         | Password settings not consistent with DOT policy. No data encryption.
 11 | FTA   | DOTS/DOT2000 Financial Management System           | SORN not published         | none noted                         | No data encryption.
 12 | MARAD | MSCS                                               | none noted                 | none noted                         | none noted
 13 | MARAD | Personnel Management Information System (PMIS)     | none noted                 | none noted                         | none noted
 14 | NHTSA | Motor Vehicle Importation Information System (MVII)| none noted                 | none noted                         | No data encryption.
 15 | OIG   | Transportation Inspector General                   |                            |                                    |
Reporting System                                     encryption.\n                 (TIGR)\n\n\n\n     Appendix A. Report on the 2007 Review of DOT\xe2\x80\x99s Compliance With Section 522 of\n     the Consolidated Appropriations Act of 2005\n\x0c                                                                                                   16\n\n                                                                    Results of Tests\n                                                    Systems of         Privacy\n                               System                Records            Impact           Technical\n #        OA                 Description              Notices       Assessments           Controls\n16      OST         Security Operations System     SORN not        null              No data\n                                                   published                         encryption.\n17      OST         Investigative Tracking         null            null              null\n                    System\n18      PHMSA       HMIS                           null            null              null\n19      RITA        Volpe ADP Institutional        SORN not        null              No data\n                    Support Services               published                         encryption.\n                    (RITAX0013)\n20      STB         Case Management System         null            null              No data\n                                                                                     encryption.\n\n\n     BACKGROUND\n     The Privacy Act of 1974 requires agencies to "establish appropriate administrative, technical\n     and physical safeguards to ensure the security and confidentiality of records and to protect\n     against any anticipated threats or hazards to their security or integrity which could result in\n     substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom\n     the information is maintained," 5 U.S.C. 
\xc2\xa7 552a (e) (10). The Privacy Act limits agencies to\n     \xe2\x80\x9cmaintaining only such information about an individual as is relevant and necessary to\n     accomplish a purpose of the agency required to be accomplished by statute or Executive\n     order of the President,\xe2\x80\x9d 5 U.S.C. \xc2\xa7 552a (e) (1).\n     The E-Government Act of 2002 strives to enhance protection of personal information in\n     government information systems, by requiring the agencies to conduct PIAs. A PIA is an\n     analysis of how personal information is collected, stored, shared, and managed in a federal\n     system.\n     Today\'s DOT Privacy Program consists of a partnership between the Office of the Chief\n     Information Officer (OClO)/Privacy Office and the Office of the General Counsel (OGC).\n     Additionally, the program collaborates with DOT\'s Information Assurance\n     Office/OCIO/OST on those issues that incorporate both privacy and security, focusing\n     frequently on the security of technology that may adversely affect the privacy of individuals.\n     Section 522 of the 2005 Consolidated Appropriations Act for Transportation and Treasury,\n     Public Law 108-447, Division H, provides additional privacy requirements for DOT,\n     including the implementation of privacy policies and procedures for public and employee\n     data. The legislation also requires DOT to designate a Chief Privacy Officer. OMB\n     Memorandum-05-08 also requires each department to designate a Senior Agency Official for\n     Privacy. For DOT, the Chief Information Officer also serves as the Senior Agency Official\n     for Privacy.\n\n\n\n\n     Appendix A. 
Report on the 2007 Review of DOT\xe2\x80\x99s Compliance With Section 522 of\n     the Consolidated Appropriations Act of 2005\n\x0c                                                                                             17\n\nSection 522(c) of the above-mentioned Act further requires that DOT:\n       "...prepare a written report of its use of information in an identifiable form along\n       with its privacy and data protection policies and procedures and record it with the\n       Inspector General of the agency to serve as a benchmark for the agency. Each\n       report shall be signed by the agency privacy officer to verify that the agency intends\n       to comply with the procedures in the report. By signing the report, the privacy\n       officer also verifies that the agency is only using information in identifiable form as\n       detailed in the report. "\n\n\nDOT\xe2\x80\x99s use of personally identifiable information and related policies and procedures\n\n\nDOT collects and uses a significant amount of personally identifiable information of both\nemployees and the public. The DOT Privacy Program is administrated within DOT\'s OCIO\nand OGC, both located in the Office of the Secretary of Transportation (OST).\nThe goal of the DOT Privacy Program is the protection of PII. The program provides\nleadership and assistance to DOT\'s OAs on issues related to the Privacy Act of 1974, E-\nGovernment Act of 2002 and related Office of Management and Budget (OMB) privacy\nguidance.\nThe DOT Privacy Program has an on-going initiative to grow the skills, knowledge and\ncapabilities of the privacy officers of all OAs (who are on the front line of the DOT\xe2\x80\x99s efforts\nto enhance privacy protection).\nIn conformity with the 2005 Consolidated Appropriations Act, the DOT\xe2\x80\x99s Office of the\nChief Information Officer published a Privacy Benchmark report in September 2006. This\nreport was sent to the DOT OIG and to Congress. 
This report outlines the following areas:\n\n\xe2\x80\xa2   DOT Privacy Program: Includes an overview of DOT\xe2\x80\x99s privacy management program\n    established in 2003 and Section 522 benchmark-reporting requirement.\n\xe2\x80\xa2   DOT Use of PII, Privacy and Data Protection Policies and Procedures: Includes an overview of\n    efforts used to track PII, DOT privacy officer\xe2\x80\x99s compliance efforts, DOT-wide policies\n    and procedures developed or drafted to date in compliance with various privacy laws,\n    regulations and OMB guidance, and other key privacy initiatives.\n\xe2\x80\xa2   OA Use of PII and Privacy Practices: Includes reports on each OA\'s specific PII and privacy\n    program activities.\n\nDOT\xe2\x80\x99s mission is to ensure a safe and efficient national transportation system. In doing so,\nDOT is required to collect and use a significant amount of personal information from\nemployees and the public for both administrative and operational initiatives. To ensure\ninformation collected is secure, DOT has appointed a departmental privacy officer located\nwithin the OCIO, as well as privacy officers within each OA. In addition to providing\nleadership on DOT-wide policies and procedures, the DOT Privacy Program works\ncollaboratively with each OA\xe2\x80\x99s privacy officer to guide and support their privacy awareness\nand compliance efforts. The methodology is based upon the following:\n\n\n\nAppendix A. 
Report on the 2007 Review of DOT\xe2\x80\x99s Compliance With Section 522 of\nthe Consolidated Appropriations Act of 2005\n\x0c                                                                                           18\n\n\n\xe2\x80\xa2   Establish the priority, authority, and responsibility,\n\xe2\x80\xa2   Assess current privacy environment,\n\xe2\x80\xa2   Organize resources necessary for the project\'s goals,\n\xe2\x80\xa2   Develop policies, procedures and practices,\n\xe2\x80\xa2   Implement policies, practices and procedures,\n\xe2\x80\xa2   Maintain the policies, practices and procedures,\n\xe2\x80\xa2   Manage the exceptions and/or problems with the policies, practices and procedures.\n\nIn compliance with this requirement, DOT undertook a review of the use of PII and privacy\npolicies and procedures at both the DOT-wide and OA levels. In preparing the ensuing\nprivacy benchmark report, the DOT Privacy Officer obtained input from each OA Privacy\nOfficer on their specific privacy activities.\nThe DOT privacy officer maintains an inventory of all information technology systems that\ncollect, use, and share public or employee PII. As of the date of this report, there are 109\nsuch systems. The FAA, FMCSA, and FHWA maintain the largest number of PII systems.\nGiven the significant amount of sensitive PII data handled by the DOT, the DOT Privacy\nOfficer continually works to track PII use and identify weaknesses that may require\ncorrective action at the program or system level. A critical part of this process involves the\nreview of PIAs and SORNs (if applicable) that are prepared by each PII system owner. In\nsome cases, however, a PII system may be exempt from the requirement to perform a PIA if\nthis system was created or implemented prior to the enactment of the E-Government Act of\n2002. 
The DOT Privacy Office maintains a list of all PII systems that have completed a PIA\nor SORN and is responsible for posting all final PIAs and SORNs on the DOT Privacy\nProgram web page.\n\nSCOPE AND METHODOLOGY\n\nDOT\xe2\x80\x99s OIG contracted with Clifton Gunderson LLP to conduct an audit of DOT\xe2\x80\x99s privacy\nand data protection policies and procedures in compliance with Section 522. The objective\nof this review was to assess the progress of DOT\xe2\x80\x99s Privacy Office in carrying out its\nresponsibilities under federal law, more specifically, to determine whether: (1) the necessity\nof using personally identifiable information for processing was properly evaluated; (2) DOT\nhad established adequate procedures governing the collection, use and security of personally\nidentifiable information; and (3) Operating Administrations (OAs) properly complied with\nthe prescribed procedures to prevent unauthorized access to and unintended use of\npersonally identifiable information.\nTo address this objective, we reviewed federal statutes including the Privacy Act of 1974\nand Section 208 of the E-Government Act, to identify responsibilities of DOT\xe2\x80\x99s Privacy\nOffice. We reviewed and analyzed privacy policies, guidance, and reports, and interviewed\nwith officials from the Privacy Office. The personnel interviewed included the Chief\nPrivacy Officer (CPO) to identify privacy office\xe2\x80\x99s plans, priorities, and processes for\nimplementing its responsibilities using available resources.\n\n\n\n\nAppendix A. Report on the 2007 Review of DOT\xe2\x80\x99s Compliance With Section 522 of\nthe Consolidated Appropriations Act of 2005\n\x0c                                                                                                          19\n\nWe further evaluated the Privacy Office policies, guidance, and processes for ensuring\ncompliance with the Privacy Act, and the E-Government Act. 
We analyzed the SORNs\nand PIA development processes and assessed the progress of the office in implementing\nthese processes. This analysis included analyzing the Privacy Office\xe2\x80\x99s overview of PIAs\ndeveloped by each OA and assessing the overall quality of published PIAs.\n\nPerform an assessment of DOT\xe2\x80\x99s privacy policies\nWe reviewed DOT information management practices for protection of PII, as they relate to\nthe guidelines set forth in Section 522-d of the 2005 Government Appropriations Act.\nPublic Law 107-347, the E-Government Act of 2002, defines \xe2\x80\x9cidentifiable form\xe2\x80\x9d as any\nrepresentation of information that permits the identity of an individual to whom the information applies to be\nreasonably inferred by either direct or indirect means. We performed procedures to assist the OIG in\nevaluating DOT\xe2\x80\x99s information management practices in order to:\n\nA. Determine the accuracy of the descriptions of the use of information in identifiable form\n   while accounting for current technologies and processing methods.\nB. Determine the effectiveness of privacy and data protection procedures by measuring\n   actual practices against established procedural guidelines.\nC. Ensure compliance with the stated privacy and data protection policies of DOT and\n   applicable laws and regulations.\nD. Ensure that all technologies used to collect, use, store, and disclose information in\n   identifiable form allow for continuous auditing of compliance with stated privacy\n   policies and practices governing the collection, use, and distribution of information in\n   operation of the program.\nE. Provide DOT with recommendations, strategies, and specific steps, to improve privacy\n   and data protection management.\n\nWe examined DOT\xe2\x80\x99s PII policies, practices and data protection procedures and mechanisms\nin operation. 
Specifically, the tasks focused on:\n\n\xe2\x80\xa2   Reviewing DOT\xe2\x80\x99s technology, practices and procedures with regard to the collection,\n    use, sharing, disclosure, transfer and storage of information in identifiable form.\n\xe2\x80\xa2   Reviewing DOT\xe2\x80\x99s stated privacy and data protection procedures with regard to the\n    collection, use, sharing, disclosure, transfer, and security of personal information in\n    identifiable form relating to DOT\xe2\x80\x99s employees and the public.\n\nThe E-Government Act of 2002 requires agencies to conduct a PIA either (1) before\ndeveloping or procuring information technology systems or projects that collect, maintain or\ndisseminate information in identifiable form or (2) when initiating a new electronic collection\nof information in identifiable form for 10 or more persons (excluding agencies,\ninstrumentalities or employees of the federal government). In general, PIAs are required to\nbe performed and updated as necessary where a system change creates new privacy risks, for\nexample, when converting paper-based records to electronic systems. On the other hand, no\nPIA is required where (1) information relates to internal government operations, (2) has\nbeen previously assessed under an evaluation similar to a PIA, or (3) where privacy issues are\nunchanged.\n\n\nAppendix A. Report on the 2007 Review of DOT\xe2\x80\x99s Compliance With Section 522 of\nthe Consolidated Appropriations Act of 2005\n\x0c                                                                                                            20\n\nTo accomplish the above-mentioned objectives, we:\n\n\xc2\x83   Reviewed DOT\xe2\x80\x99s benchmark report to the OIG dated September 26, 2006. This report\n    was prepared in fulfillment of Section 522-c of the Appropriations Act. 
\xe2\x80\x9c\xe2\x80\xa6Each agency\n    shall prepare a written report of its use of information in an identifiable form, along with its privacy and\n    data protection policies and procedures and record it with the Inspector General of the agency to serve as a\n    benchmark for the agency. Each report shall be signed by the agency privacy officer to verify that the\n    agency intends to comply with the procedures in the report. By signing the report, the privacy officer also\n    verifies that the agency is only using information in identifiable form as detailed in the report.\xe2\x80\x9d\n\xc2\x83   Reviewed DOT\xe2\x80\x99s policies related to safeguarding PII; encryption of sensitive PII and\n    guidelines for the protection of remote PII through secure remote access (SRA). [Policy\n    # 2006-22 Revision 1] of October 11, 2006.\n\xc2\x83   Verified that DOT had identified and maintained an inventory of information systems\n    containing PII and systems requiring PIAs and had conducted PIAs for electronic\n    information systems.\n\xc2\x83   Reviewed a sample of PIAs for the following:\n    o What information was collected (e.g., nature and source).\n    o Why the information was collected (e.g., to determine eligibility).\n    o Intended use of the information (e.g., to verify existing data).\n    o With whom the information was shared (e.g., another agency for a specified\n         programmatic purpose).\n    o What opportunities individuals had to decline to provide information or to consent\n         to particular uses of the information (other than required or authorized uses), and\n         how individuals communicated consent.\n    o How the information was secured from abusive use (e.g., administrative and\n         technological controls).\n\xc2\x83   We selected a representative sample of systems from OST and 10 OAs, and tested\n    technical controls to achieve the PII protection objectives.\n\xc2\x83   Reviewed the nature and use of PII, to 
determine whether a SORN was required and if\n    required, whether one was published. We further reviewed DOT\xe2\x80\x99s publication of\n    SORNs in the Federal Register and verified that they contained only information about\n    individuals that was "relevant and necessary" to accomplish DOT\xe2\x80\x99s purpose. We verified\n    that this information was updated as necessary.\n\nFor the Fiscal Year 2007 Privacy Assessment, we were not engaged to and did not perform\nprocedures to determine if the inventory of systems containing PII data was exhaustive and\nif DOT had performed procedures to ensure all 429 DOT IT systems within all OAs had\nbeen reviewed for existence of PII information. We reviewed the inventory of 109 PII\nsystems received from the DOT OCIO privacy office in October 2007. From this\npopulation, we selected a representative sample of 20 systems from OST and 10 OAs for\nsubstantive testing. The results and exceptions noted in this report are based on this sample.\n\n\n\n\nAppendix A. Report on the 2007 Review of DOT\xe2\x80\x99s Compliance With Section 522 of\nthe Consolidated Appropriations Act of 2005\n\x0c                                                                                          21\n\nDETAILED RESULTS OF REVIEW\n\n1. Although the DOT OCIO and Privacy Office have established policies and\n   procedures to protect DOT\xe2\x80\x99s PII systems and data, the Privacy Office does not\n   properly monitor its privacy processes for quality compliance with the provisions\n   of Section 522.\n\nThe DOT Privacy Office has made significant progress in addressing its statutory\nresponsibilities under the General Government Act by developing processes to ensure\nimplementation of privacy protections in departmental programs. For example, the Privacy\nOffice has established processes for ensuring departmental compliance with the PIA\nrequirement in the E-Government Act of 2002. 
Instituting this framework has led to\nincreased attention to privacy requirements on the part of departmental components,\ncontributing to an increase in the number of PIAs issued.\n\nOCIO has addressed its mandate to assure that technologies sustain, and do not erode,\nprivacy protections through a variety of actions, including implementing a weekly scorecard\nof PII compliance, its PIA compliance framework, raising awareness of privacy issues\nthrough a series of workshops, and participating in policy development for several major\nDOT initiatives. The office has also taken action to address its mandate to evaluate\nregulatory and legislative proposals involving the use of personal information by the federal\ngovernment and has coordinated with the DOT Office of General Counsel.\n\nWhile substantial progress has been made in these areas, more work needs to be done in\nother important aspects of DOT\xe2\x80\x99s privacy protection processes. The details of the matter\nare as follows:\n\nGeneral conditions found during the audit\n\xc2\xbe DOT did not provide evidence to support the effectiveness of the procedures used in\n   identifying and securing information systems containing PII. The Privacy Office could\n   not provide evidence that evaluations were performed for all 429 DOT systems that may\n   potentially contain and/or process PII.\n\xc2\xbe DOT Privacy Office had not provided enhanced privacy training to OA Privacy Officers\n   (or their representatives), who are responsible for deploying DOT\xe2\x80\x99s PII policies at their\n   respective OAs. DOT does provide its employees with security awareness training. Per\n   the responses on the OCIO FISMA template for September 2007, only 86% of DOT\n   employees have received security training for fiscal year 2007. 
Although security\n   protection of PII data was part of these training courses, the agency\xe2\x80\x99s Privacy Officers\n   did not receive enhanced privacy security training to assist them in understanding all\n   integral parts of their job responsibilities.\n\n\n\n\nAppendix A. Report on the 2007 Review of DOT\xe2\x80\x99s Compliance With Section 522 of\nthe Consolidated Appropriations Act of 2005\n\x0c                                                                                                          22\n\nDetailed conditions based on our sample of 20 DOT PII systems\n\xc2\xbe DOT did not provide evidence that the Privacy Office had a structured format to\n   monitor the effectiveness and completeness of PIAs and SORNs implemented by the\n   different OAs on affected systems. (DOT did not have a permanent Departmental\n   Privacy Officer during our review period from October 2007 through January 2008).\n   Limited resources and/or personnel could account for this lack of adequate monitoring\n   resulting in the following:\n   o A PIA had not been performed for 1 of 20 systems in our sample. This system\n       contained public PII and required a PIA.\n   o SORNs were not published for 9 of 20 sample systems tested. While the Privacy\n       Office has reviewed, approved, and issued new SORNs since its establishment in\n       2003, nine sampled systems did not have these notices published. The department is\n       not in compliance with the Office of Management and Budget (OMB) requirements\n       that SORNs be published and reviewed biennially, nor can it be assured that the\n       privacy implications of its many systems that process and maintain PII have been\n       fully and accurately disclosed to the public. 
These notices should identify, among\n       other things, the type of data collected, the types of individuals about whom\n       information is collected, and the intended uses of the data.\n\xc2\xbe DOT OAs had not established MOUs for 2 of 5 systems from our sample of 20 systems\n   that share privacy data with external agencies. Also, the PIAs reviewed did not provide\n   guidance on privacy information sharing with other agencies. These PIAs did not include\n   measures to escalate requests from federal agencies (law enforcement bureaus) that may\n   require PII for legitimate government business.\n\nSection 522 describes Chief Privacy Officer\xe2\x80\x99s security responsibilities as follows:\n\xe2\x80\x9c\xe2\x80\xa6A: PRIVACY OFFICER: Each agency shall have a Chief Privacy Officer to assume primary\nresponsibility for privacy and data protection policy, including:\n\n1. Assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use,\n   collection, and disclosure of information in an identifiable form.\n2. Assuring that technologies used to collect, use, store, and disclose information in identifiable form allow\n   for continuous auditing of compliance with stated privacy policies and practices governing the collection,\n   use and distribution of information in the operation of the program.\n\n\n\n\nAppendix A. 
Report on the 2007 Review of DOT\xe2\x80\x99s Compliance With Section 522 of\nthe Consolidated Appropriations Act of 2005\n\x0c                                                                                          23\n\nRecommendations:\n\nWe recommend that DOT:\n\xe2\x80\xa2 Implement a process for the timely review and monitoring of the privacy process to\n   include: inventory of all affected systems; review and approval of PIAs; review and\n   approval of SORNs prior to publication; and periodical updates of both the PIAs and\n   the SORNs.\n\xe2\x80\xa2 Establish MOUs with all third parties who share PII with DOT.\n\xe2\x80\xa2 Implement procedures to ensure all 429 DOT systems are evaluated for existence\n   and/or processing of PII. The DOT Privacy Office inventory identified 109 PII\n   systems out of DOT\xe2\x80\x99s 429 systems. This evaluation should be documented and should\n   cover the remaining 320 of 429 DOT information systems\n\xe2\x80\xa2 Require enhanced privacy security training for Privacy Officers at the different OAs\n   who are responsible for implementing privacy practices at their respective OAs.\n\n2. DOT Technical Controls related to the protection of personally identifiable\n   information need to be strengthened.\n\nThe DOT Privacy Office has made significant effort in carrying out its statutory\nresponsibilities and its related role in ensuring compliance with Section 522 of the General\nGovernment Appropriations Act, notably by establishing a framework for securing data\ncontained in privacy systems. However, our review of a sample of 20 privacy systems\nhighlighted that technical control over access to these systems needed to be strengthened.\nThe details are as follows:\n\n\xc2\xbe Twelve out of 20 sampled PII systems reviewed transmit PII data over DOT\xe2\x80\x99s network\n  in clear unencrypted text. 
Some of these systems contained public data.\n\xc2\xbe Four out of 20 systems were non-compliant with DOT security policies concerning\n  basic password security requirements. (1) number of login attempts on two systems on\n  our sample (10%) was set to expire after six unsuccessful logon attempts; (2) password\n  parameters for one system requires the password to be changed every 180 days contrary\n  to DOT policy of 90 days; (3) One system had not implemented secure password\n  settings such as password complexity, number of invalid login attempts, session\n  expiration and password expiration.\n\nDepartment of Transportation - Information Technology and Information Assurance\nPolicy (2006-22): states:\n\xe2\x80\x9c\xe2\x80\xa6It is the policy of the DOT that all DOT personnel and contractors comply with the\nprovisions of this policy. DOT will begin to implement the following provisions during the\nfourth quarter of Fiscal Year 2006 for any information technology system that stores,\nprocesses and/or transmits PII.\n\n1. Encrypt all PII wherever it may reside within six months of the issuance of this policy.\n   The encryption methodology employed shall satisfy the requirements set forth in the\n   current National Institute of Standards and Technology Federal Information Processing\n   Standard 140-2, Security Requirements for Cryptographic Modules, May 2001.\n\n\nAppendix A. Report on the 2007 Review of DOT\xe2\x80\x99s Compliance With Section 522 of\nthe Consolidated Appropriations Act of 2005\n\x0c                                                                                         24\n\n    a. Encrypt all data on mobile devices within six months of the issuance of this policy.\n    b. 
Encryption policies apply to all storage media devices, to include CDs, DVDs, disk\n       drives, USB memory drives, SD cards, etc.\n\nEmployee Awareness Guide to Information Assurance and Technology Security\n(March 2006): states:\n\xe2\x80\x9c\xe2\x80\xa6Passwords are effective only when properly used. Password and/or PIN protected\nscreen savers should be used on all systems and set to activate after 15 minutes of non-use.\nPasswords, at a minimum, must be protected as sensitive information. Passwords should\nnever be written down.\n\nMandatory Password Changes:\nPasswords are required to be changed as indicated below:\n\n\xc2\xbe Every 90 days for general users.\n\xc2\xbe Every 30 days for systems administrators.\n\xc2\xbe Immediately upon completion of an investigation of a known or suspected compromise.\n\xc2\xbe The password and associated user account must be suspended within one day if the\n  user\xe2\x80\x99s access is removed for reasons of pending or current punitive actions.\n\xc2\xbe When the user leaves the organization or no longer requires access for a period greater\n  than three months, the password must be changed as soon as possible, but no later than\n  three days.\n\xc2\xbe After three invalid login attempts, the password and login ID should be suspended\xe2\x80\xa6\xe2\x80\x9d\n\nRecommendations:\n\nWe recommend that DOT:\n\xe2\x80\xa2 Implement encryption of data transmitted over the agency\xe2\x80\x99s communication\n   infrastructure with emphasis on encryption of systems containing privacy data.\n\xe2\x80\xa2 Upgrade all systems containing sensitive personally identifiable information that are\n   unable to support secure computing practices. Alternatively, privacy data contained in\n   these systems should be removed or transferred to more secure platforms.\n\xe2\x80\xa2 Periodically review the agency\xe2\x80\x99s information systems to ensure they are in compliance\n   with DOT IT security policies.\n\n\n\n\nAppendix A. 
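The password findings above are, in effect, a comparison of each sampled system's account-policy settings against the thresholds DOT's Employee Awareness Guide prescribes (90-day change interval for general users, 30 days for administrators, suspension after three invalid login attempts, screen lock after 15 minutes of non-use). The following check automates that comparison. It is an added example, not code from the OIG report or from DOT; the system names and settings are constructed to mirror the kinds of deviations the audit reported (two systems locking out only after six attempts, one on a 180-day interval, one with none of the secure settings), and it goes one step beyond the findings by also applying the stricter 30-day rule to an administrator account.

```python
"""Check sampled account-policy settings against the DOT password thresholds quoted above.

Added example; not part of the OIG report or of DOT's own tooling. Thresholds are the
ones the report quotes from DOT's Employee Awareness Guide (March 2006). System names
and settings are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Thresholds quoted from the Employee Awareness Guide.
MAX_PASSWORD_AGE_DAYS = {"general": 90, "admin": 30}
MAX_INVALID_LOGIN_ATTEMPTS = 3
SCREEN_LOCK_MINUTES = 15


@dataclass
class AccountSettings:
    """Effective account-policy settings of one sampled system (constructed values)."""
    system: str
    role: str = "general"                           # "general" or "admin"
    max_password_age_days: Optional[int] = None     # None: password never expires
    lockout_threshold: Optional[int] = None         # None: no lockout configured
    complexity_required: bool = False
    session_timeout_minutes: Optional[int] = None   # None: sessions never expire
    screen_lock_minutes: Optional[int] = None       # None: no screen-saver lock


def evaluate(s: AccountSettings) -> list[str]:
    """Return the policy deviations for one system; an empty list means compliant."""
    findings: list[str] = []
    age_limit = MAX_PASSWORD_AGE_DAYS[s.role]
    if s.max_password_age_days is None:
        findings.append("password expiration not enforced")
    elif s.max_password_age_days > age_limit:
        findings.append(
            f"password change every {s.max_password_age_days} days exceeds "
            f"policy of {age_limit} days for {s.role} users")
    if s.lockout_threshold is None:
        findings.append("no suspension after invalid login attempts")
    elif s.lockout_threshold > MAX_INVALID_LOGIN_ATTEMPTS:
        findings.append(
            f"suspension after {s.lockout_threshold} invalid login attempts "
            f"exceeds policy of {MAX_INVALID_LOGIN_ATTEMPTS}")
    if not s.complexity_required:
        findings.append("password complexity not enforced")
    if s.session_timeout_minutes is None:
        findings.append("session expiration not enforced")
    if s.screen_lock_minutes is None or s.screen_lock_minutes > SCREEN_LOCK_MINUTES:
        findings.append(f"screen lock not set to activate within {SCREEN_LOCK_MINUTES} minutes")
    return findings


def audit(sample: list[AccountSettings]) -> dict[str, list[str]]:
    """Map each system name to its list of deviations, preserving sample order."""
    return {s.system: evaluate(s) for s in sample}


def noncompliant(report: dict[str, list[str]]) -> list[str]:
    """Names of systems with at least one deviation."""
    return [name for name, findings in report.items() if findings]


# Constructed sample (hypothetical system names): one compliant system, two with a
# six-attempt lockout, one with a 180-day change interval, one with no secure
# settings at all, and one administrator account on a 60-day interval.
SAMPLE = [
    AccountSettings("sys-A", max_password_age_days=90, lockout_threshold=3,
                    complexity_required=True, session_timeout_minutes=30, screen_lock_minutes=15),
    AccountSettings("sys-B", max_password_age_days=90, lockout_threshold=6,
                    complexity_required=True, session_timeout_minutes=30, screen_lock_minutes=15),
    AccountSettings("sys-C", max_password_age_days=90, lockout_threshold=6,
                    complexity_required=True, session_timeout_minutes=30, screen_lock_minutes=15),
    AccountSettings("sys-D", max_password_age_days=180, lockout_threshold=3,
                    complexity_required=True, session_timeout_minutes=30, screen_lock_minutes=15),
    AccountSettings("sys-E", screen_lock_minutes=15),
    AccountSettings("sys-F", role="admin", max_password_age_days=60, lockout_threshold=3,
                    complexity_required=True, session_timeout_minutes=30, screen_lock_minutes=15),
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for name, findings in report.items():
        print(name, "compliant" if not findings else "; ".join(findings))
    print(f"{len(noncompliant(report))} of {len(SAMPLE)} sampled systems non-compliant")
```

Treating "not configured" (None) as a deviation in its own right is deliberate: the one sampled system that lacked complexity, lockout, session expiration and password expiration altogether is a different failure mode from a system whose values are merely too lax, and a check that only compares numbers would silently skip it.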
APPENDIX B. MANAGEMENT COMMENTS

U.S. Department of Transportation
Office of the Secretary of Transportation
Memorandum

Subject: INFORMATION: OIG Privacy Audit
Date: August 19, 2008
From: Daniel G. Mintz, Chief Information Officer
To: Rebecca C. Leng, Office of the Inspector General

We concur with the OIG findings and all but one recommendation. Regarding the organizational positioning of the Privacy Officer, we suggest taking a slightly different approach and suggest we relook where we are next year.

We developed a plan of action to implement the report’s recommendations, which will help us achieve compliance with OMB requirements for protecting privacy in Federal government agencies. We are in the process of acquiring and implementing technology to assist the Department in protecting the PII within the Department’s information technology systems and infrastructure.
Specific responses to each of the report’s nine (9) recommendations follow:

OIG Recommendation 1: Require system owners to submit evaluation results on whether PII exists in the 320 systems that were not included in the DOT Privacy Office inventory.

OCIO Response: Concur. In August 2007, all DOT systems were evaluated through the Survey of Department of Transportation Systems Containing Personally Identifiable Information. Although this survey was comprehensive and included all DOT systems, during the course of the contractor review the Office transitioned to a new privacy officer and not all records were available for review. These records have now been made available to OIG. OCIO has also initiated additional measures to ensure appropriate oversight of PII. For example, quarterly C&A compliance reviews are evaluated to determine if the system contains PII and if it has a PIA and SORN. In addition, OCIO is considering requiring system owners to conduct a Privacy Threshold Analysis (PTA) to determine, during initial certification and recertification, whether the system contains PII. This information would be reported to OCIO. OCIO has set a target to implement this requirement by the end of March 2009.

OIG Recommendation 2: Require system owners of sampled systems to correct privacy protection deficiencies identified in the areas of missing SORNs, PIAs, and MOU with outside agencies when sharing PII; notify system owners of remaining PII systems to check whether they need to take similar corrective actions.

OCIO Response: Concur. OCIO has achieved considerable progress in this area as a result of this audit and the trend is continuing.
OCIO has notified the system owners of any missing or outdated SORNs and PIAs. OCIO will take action to notify all owners of systems of PII to address and update memoranda of understanding with outside agencies. This recommendation will be fully implemented by the end of March 2009.

OIG Recommendation 3: Require OA Privacy Officers to implement a process under which future systems are subject to periodic review to ensure that SORNs are initiated and posted, PIAs are developed, and MOU with outside agencies are documented; and that such elements are appropriately updated when systems undergo change.

OCIO Response: Concur. The recommended actions coincide with DOT’s privacy policy. This recommendation will be implemented through appropriate direction to operating administration CIOs and Privacy Officers, and in DOT CIO Policy, by the end of March 2009.

OIG Recommendation 4: Encrypt all PII data transmitted over the Department’s communications network.

OCIO Response: Concur. OCIO agrees with the requirement to encrypt all PII data communications. OCIO is presently planning to conduct a detailed analysis of systems and encryption requirements and anticipates that this analysis will be completed by the end of March 2009. At that time, OCIO will detail an action plan to implement encryption requirements consistent with the results of the analysis.

OIG Recommendation 5: Require system owners of sampled systems to correct security deficiencies concerning password security controls, invalid log-in attempts, and session time-out expiration; and notify system owners of remaining PII systems to check whether they need to take similar corrective actions.

OCIO Response: Concur.
We anticipate that the systems with PII can be secured by the end of July 2009. We will address the issues identified in the report to OA CIOs, ISSOs, Privacy Officers, System Owners and other responsible parties.

OIG Recommendation 6: Require OA Privacy Officers to implement a process under which periodic performance checks are carried out to ensure that all PII systems remain in full compliance with DOT security policies.

OCIO Response: Concur. OCIO will initially issue a Directive by the end of Q1 FY2009 that identifies OCIO’s expectations for conducting performance checks to remain in full compliance with security policies. A final policy memorandum will incorporate feedback obtained in the Directive phase, and will be issued by the end of Q2 FY2009.

OIG Recommendation 7: Require system owners of sampled systems to correct security deficiencies found in their Web sites and notify system owners of remaining PII systems to check whether they need to take similar corrective actions.

OCIO Response: Concur. OCIO will provide written notification to the modal Privacy Officers and owners of sampled systems to correct security deficiencies found in their Web sites. OCIO will also direct modal Privacy Officers, ISSOs, and CIOs to work with the owners of all systems to identify necessary corrective actions and develop corrective plans by the end of Q2 FY2009.

OIG Recommendation 8: Provide enhanced privacy security training for OA Privacy Officers, who are responsible for implementing annual privacy practices in their respective organizations.

OCIO Response: Concur. We have recommended specialized training available to OA Privacy Officers. OCIO will establish specialized training requirements – both content and frequency – in written policy by the end of Q2 FY2009.

OIG Recommendation 9: Increase the visibility of the DOT Privacy Program by having the Departmental Privacy Officer report directly to the Chief Information and Privacy Officer.

OCIO Response: Concur in part. The tradeoff between following this recommendation and keeping the Privacy Officer in its current organizational location is between increased visibility and the synergies that we believe exist for many of the privacy goals and security goals and implementation plans, as well as the ability to make more efficient use of staff collectively.

It is not entirely clear to us how many of the issues identified in the report are due to the personnel changes that were going on during the time of the analysis, and thus how much making this one change would achieve. We propose leaving the structure as is for the next year, fiscal year 2009, focusing on implementing the suggested changes, enhancing a number of associated internal auditing reviews, and developing more transparent measurements of status. At the end of FY2009, we will relook the status, evaluate how well the office is doing, and determine whether an organizational change would be a good step.